The Year I Started Being Afraid

I’ve been in IT since I was a kid. I was a real, stereotypical nerd. While other computer nerds were learning to program games, I turned up my nose at their childish efforts and learned database programming because at 12 I actually wanted to write accounting software. I know, I know, weird. Anyway, I say this to underline the fact that I’ve been in technology since PCs first came out, and business technology at that.

When the Internet and Windows NT got big in the nineties I switched from development to security – so I’ve been there. But except for a brief period when I got my first constant connection to the Internet, I haven’t been afraid. I’ve respected the risks of the Internet and the danger from the bad guys on it, but I’ve never been paranoid like many of my other colleagues in infosec. I’ve always taken sensible measures, run AV most of the time, kept my attack surface small and monitored my logs. And I’ve only had 2 security incidents over that time. I got the “Ethan Frome” Word virus, which was harmless, and after that my Windows 2000-based IIS web site suffered SQL injection once, which broke some drop-down lists on the site.

Then Things Started to Change

So, I’ve always felt pretty safe with my informed, common sense approach. But last year that started to change. Part of it is because my business is growing. More people are on my network. More endpoints connect to my network. There’s more to protect. Part of it is the accelerating sophistication of bad guy technology. Malware is getting more sophisticated and beginning to outpace signature-based detection. The bad guys’ work in content-related vulnerabilities is outflanking us by going beyond the OS and penetrating us via PDFs, JPGs, Flash files, ad nauseam. But the biggest part, I think, is that the bad guy of the last few years is a new and different bad guy.

It used to be loosely organized nihilistic, antisocial kids defacing web sites, sometimes for ostensibly social causes but sometimes for the pure nihilism of it. Or, in other instances, it was “security researchers” trying to make a name for themselves or their companies. And the scenarios I would describe in my security and audit classes were just that – theoretical scenarios about what could happen in theory. But when pressed for real examples and anecdotes, I usually came up short. It was more like “this is what could happen if we were in the middle of a Mission Impossible movie.”

But today, Mission Impossible scenarios are happening all the time. The biggest, most respected name in strong 2-factor authentication gets hacked. Then a major defense contractor apparently gets hacked as the fruits of the first attack.

The bad guys are now financially and politically driven. What are more powerful motivators than that? What can gather greater resources and stimulus than money and power? Religion is the only thing I can think of. But money and power are more than enough for now.

So I’m now taking information security more seriously for my business than I ever have before. And while it’s tempting to think about my little datacenters out there exposed to the Internet 24/7 or the data in the few cloud services we use, what keeps me awake at night – well, I’m not really at the point of losing sleep, but let’s say if I did wake up at night and start thinking about the security of my business – is endpoints.

Time to Worry About Your Endpoints

Endpoints worry me. There are so many. They are so exposed. Endpoints process so much content directly from the Internet. And so intimately – a file server or a SharePoint site may store files from the Internet, but it’s on the endpoint where they are actually parsed and rendered. (To be accurate, and while not extremely common, SharePoint servers are getting pretty intimate with content today, given how Visio, Access and Excel content is actually parsed, rendered and manipulated by SharePoint, within SharePoint itself.) And the bad guys know this. The endpoint is the initial target of APTs.

At least I realize this. Too many folks in management, IT, infosec and Internal Audit, still have the mainframe philosophy superimposed on servers: “all my data is on my server so I need to protect my server. Endpoints aren’t that important because that isn’t where the data resides.”

I’m preaching to the converted when I say “Wrong”, right? Let’s just put aside the reality that there is confidential, sensitive data out there on nearly every laptop, workstation and smartphone. Let’s just assume for a minute that no important data is on a given endpoint.

Doesn’t matter. That laptop or other endpoint is still part of your trusted computing base and if it gets compromised, you’re in trouble. After all, I don’t think anyone believes the seed codes for SecurID tokens or anything else proprietary about SecurID technology was on the endpoint initially hacked at RSA when that poor employee opened the intriguing email about next year’s recruiting plan. But that’s where it started and we all know where it ended.

The security of your endpoints – of all our endpoints – is more than important – it’s critical. And I’m going to put some real effort into endpoint security this year. I hope you do too.